A Real-World Password Policy For Your Firm

Security is the prevailing concern in the world of technology today. Everyone, not just IT professionals, should be worried about the security of their data. Network Administrators go to great lengths to secure their networks from attacks, both internal and external. Perhaps the most overlooked layer of security is also the most potentially dangerous – passwords. This layer of security relies on you, the user, to ensure that your password is protected and private. Passwords are your key to the network. They give you access to some very important and very sensitive resources. Every organization needs to adapt a password policy to ensure that passwords are kept secure and confidential. Some networks have no password authentication at all. Other organizations have ultra-restrictive password policies. An example of such a policy appears below:

Users must:

Use at least 6 characters

Use at least two letters (one uppercase and one lowercase)

Use at least one number

Use at least non-alphanumeric character: {}[],.;:'"?/|\`~!@#$%^&*()_-+=

Change their password every 45 days (a password expiration policy mandated through the network)

Users must not:

Use a whole word (a dictionary word)

Reuse a previous password

Write their password down

Store their password in any electronic document

Share their password with anyone else

This is an example of a great policy that covers all the bases. Passwords created under these guidelines would be very difficult for an attacker to retrieve. Unless both your IT Department and your users are obsessive, however, chances are this policy will not be effective in practice. Although you can mandate this as a policy, what are the odds you will be able to enforce each one of the points listed above? There are two main problems with passwords which this policy attempts to address but ultimately will fail to do so.

The two biggest problems with passwords are "memorability" and "shareability".

"Memorability" deals with the ability for a user to remember his or her password. If no policy is in place, the user is likely to pick something very easy to remember, like the name of a child or a favorite sports team, or worst of all, simply "password". These are fairly easy targets; an attacker can establish these without much effort. As stricter password policies are implemented, it will be more and more difficult for a user to remember their password.

Take the above restrictions, for example. An acceptable password that meets all the listed criteria might be "Pa$$w0rd". This should be fairly easy to remember. The problem arises in 45 days, when the password must be changed. The new password may be "pa$$W0rd", the next "pA$$w0rd". As these passwords are changed, it will be increasingly difficult to remember what combination of letters, cases, numbers, and symbols are used. It will also be difficult to remember what has been used in the past, since the reuse of a password is restricted.

So what does a user do when he or she has a hard time remembering a password? They write it down. Often, this is a simple sticky note under the mouse pad, in a desk drawer, or, worst of all, taped to the monitor. This is obviously not a good practice; passwords that are this easily accessible are just asking to fall into the wrong hands. Not to mention, these are also the first places an attacker might look.

Another trick users do to help remember passwords is to assign a number sequence to them. For example, "Pa$$w0rd01" followed by "Pa$$w0rd02" and "Pa$$w0rd03". Sequential passwords can be very insecure; if an attacker somehow figures out the password, all they would have to do is determine what number you are on in the sequence.

The best cure for "memorability" problems is to form good password habits. This might be accomplished by loosening some of your policy restrictions; shortening the frequency of password expiration to reduce the number of password changes, for example. Even better, have users experiment with different methods of creating passwords. Use letter combinations to represent phrases that you can remember. For example, "bBma3.14" could represent "Bye, Bye, Miss American Pie". Get creative! Anything that will help you remember your password without needing to write it down. The trick is to educate users across your organization to help them form good habits; otherwise, the sticky notes will start to appear and that is what you want to prevent!

"Shareability" refers to the sharing of passwords. There are several instances where passwords may be shared between users. Often, in an environment when multiple users work need access to the same machine, they will simply share one user’s password. Another common instance of sharing occurs between a manager and an assistant, where the manager needs the assistant to handle a duty that requires the manager’s level of access. "Shareability" issues can be fixed through the permissions granted to each user account through the network. A model network should completely prevent the sharing of passwords. Each user should have access to the resources they need to do their job and should not need to use anyone else’s passwords or share their own.

The best policy for passwords is be smart. Understand what privileges are associated with your password and treat its security accordingly. I compare a network to a paper office. There are some documents that are pretty harmless; you may leave these lying on your desk. There are other documents that are very sensitive; you might keep these in a locked fireproof box. A network is the same way; there are some items that are very public and some items that are very private. Chances are you have access to some fairly private, sensitive information. That access is granted through your password. Safeguard that password with the same level of security as you would the information it protects.

John D. McCall is the Network Administrator and Webmaster for Boomer Consulting, Inc., an organization devoted to the application of computer technology and management consulting, located in Manhattan, Kansas.